Configuring the Box Shared Links Control Policy

Cloud App Security pre-defines a separate Data Loss Prevention policy that enables the Box administrator to manage shared links to content stored in your organization's Box environment. This helps reduce the risk of undesirable access to your organization's sensitive data through accidental creation of shared links by users.


In this release, Cloud App Security supports control over open shared links only. Open shared links are those set to publicly accessible and no Box account sign-in required.

This policy is independent of the other Data Loss Prevention policies for Box and cannot be prioritized.

New customers can use this policy right after provisioning a service account for Box; existing users need to go to Administrations > Service Account to recreate an access token for Box before you can enable this policy.

To allow creation of open shared links to any file or folder across your organization's Box environment, disable this policy. By default, this policy is disabled. When enabled, Cloud App Security monitors the creation of shared links to files and folders in your organization's Box user accounts, and upon detection, allows the creation or removes the link based on the action configured by the administrator in the policy.

This policy is designed to apply to all Box user accounts in your organization. Configure the policy to exclude certain user accounts and items (files and folders) from this policy, that is, to allow creating open shared links to specified files and folders under specified user accounts.

Before using this policy, be aware of the following limitations:

  • Cloud App Security does not monitor the creation of open shared links to files that reside right under the root path /All Files of a Box user account.

  • For the folders that reside right under the root path /All Files of a Box user account, Cloud App Security monitors the creation of open shared links to a maximum of 1,000 of them.

  • Cloud App Security does not handle the open shared links already created before this policy is configured and enabled.

  • Cloud App Security does not support manual scan for this policy.

  • This policy cannot be duplicated or deleted.

  1. Under Box Policies, click Shared Links Control Policy.

    The Shared Links Control policy configuration screen appears.

  2. On the General tab, select Enable Shared Links Control.
  3. Specify or modify the policy name and description.
  4. Click the Shared Links Control tab.
  5. Configure Action settings.
    Option Description

    Remove link

    Cloud App Security removes the open shared link, the corresponding file or folder cannot be opened through this link.


    Cloud App Security records the detection in a log and allows the open shared link to the file or folder.

    Option Description


    Cloud App Security sends a notification email message to the administrator or user according to the Notification settings.

    Do not notify

    Cloud App Security only takes the configured action on the shared link and does not send out any notification email message.

  6. Configure Exceptions settings.

    Define user accounts and items (files or folders) to exclude from this policy.

    Option Description

    Add an exception

    A maximum of 100 entries is supported.

    1. Click Add.

      The Add Exception screen appears.

    2. Select users or groups to allow creating open shared links to items under these accounts.

    3. Specify the path to a file or folder under the selected user accounts to allow creating an open shared link to.

      Below are some instructions on how to specify a valid file or folder path:

      • Start with a slash /. Cloud App Security will automatically add the root path part /All Files. For example, to add a folder path, type /example1/example2; to add a file path, enter /example1/example2.txt.

      • Wildcard characters are not supported.

      • To specify all items, type /.

      • To specify all items under a folder, end with a slash, for example, /example1/. Cloud App Security will monitor every file or subfolder under folder example1.

      • To specify any item under a folder whose name starts with specified characters, type the characters, for example, /example1/exam. Cloud App Security will monitor every file and subfolder under folder example1 whose name starts with exam.

    4. Click the green add icon.

    5. Repeat steps c and d to add more file or folder paths.

      A maximum of 10 paths is supported.

    6. Click Save.

    To delete a path, click the red delete icon.

    To modify a path, click the red delete icon and specify a path again.

    Edit an exception

    Select an entry and click Edit.

    Delete exceptions

    Select one or multiple entries and click Delete.

  7. Configure Notification settings.
    Option Description

    Notify administrator

    1. Specify the administrators to notify by selecting a recipient group or specifying individual recipients. You can click Manage recipient groups to edit the members in a group or add more groups. For details, see Configuring Recipient Groups.

    2. Specify message details to notify administrators that Cloud App Security detected an open shared link creation and took action on the link.

    Notify User

    Specify message details that notify the user under whose account an open shared link was created that Cloud App Security detected the creation and took action on the shared link.